Certain scenarios cause a 403 forbidden when trying to establish the WS connection

[longwa]

When adding the endpoint, the allowed origins should be set with a wildcard to allow for certain proxy and firewall scenarios to work properly.

ser.addEndpoint(endpoint).setAllowedOrigins("*").withSockJS()

I've tested this with Grails 2.5.4 on the 1.3.0 version and it does fix our problem with WS not working properly through our VPN. There's a stack overflow article discussion this same issue with this solution accepted.

I can submit a PR if needed.

[zyro23]

i think it makes sense that the same origin policy is enforced by default. however, being able to override that is a must-have.

grails3 version of the plugin: i would say all fine because it is easy to just use a custom websocket config

grails2 version: we could

• either add another config setting allowedOrigins (List<String>)
• or you use useCustomConfig = true, which has the "drawback" that you need to define the GrailsSimpAnnotationMethodMessageHandler manually if you want to use grails controllers as message handlers

what do you think? appreciate your feedback!

[longwa]

I like the idea of having an allowedOrigins config setting. That seems to fit best into the Grails 2 version. I haven't looked at the Grails 3 version but it sounds like the workaround there is acceptable (unless the config setting can be included easily there too).

[dtamm]

@zyro23 setting

grails.plugin.springwebsocket.allowedOrigins = ["*"]

in the Config.groovy under grails 2 doenst work for me, or have i misunderstood your hint above?

[dtamm]

@longwa do you have the Stackoverflow link for me?

[longwa]

@dtamm The configuration isn't available in 1.3.0, the proposal is to make this configurable if I'm understanding correctly.

Here is the stackoverflow with the suggestion to add the setAllowedOrigin("*") when creating the endpoint.

http://stackoverflow.com/questions/29677418/websockets-over-https-403-forbidden

[dtamm]

ah okay, so i misunderstood :) and you have an workaround for grails 2? or was it for grails 3?

[zyro23]

"workaround" for grails 2 would be to use useCustomConfig = true and use a custom web socket config. however ill try to take care of allowedOrigins on the 1.3.x branch today or tomorrow.

[longwa]

@zyro23 Thanks. I've built a custom version for now so no rush for us. If you have other changes for this branch it can certainly wait. I'd love to move to Grails 3 but I don't see that happening with our application anytime soon unfortunately.

[zyro23]

just published 1.3.1, closing this one. if you get the chance to try it out, a quick feedback here if all works out as expected would be appreciated. my local tests using allowedOrigins = ["*"] worked fine.

[zyro23]

cool. hit this today myself (grails 3 app thou). tried to fix the cause instead of just using setAllowedOrigins("*"), with success. my proxy did not set the Forwarded / X-Forwarded- header(s) correctly. ref:

• https://github.com/spring-projects/spring-framework/blob/v4.3.0.RELEASE/spring-web/src/main/java/org/springframework/web/util/WebUtils.java#L810
• https://github.com/spring-projects/spring-framework/blob/v4.3.0.RELEASE/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java#L670